rhcsa rhce exam questions Advanced Practice Exam: Hard Questions 2025

You inherit an Ansible project where a playbook behaves differently when run with `ansible-playbook` versus when executed by an automation controller job template. The project contains `ansible.cfg`, and the controller inventory defines its own variables. The playbook relies on a custom module and a filter plugin stored in the repository. Which approach most reliably ensures the same configuration and plugin resolution is used in both environments without relying on a specific current working directory?

A hardened environment requires that managed nodes only allow automation via a dedicated user `svc-ansible` authenticated with SSH keys, and privilege escalation must be possible only for a restricted set of tasks. Your playbook currently uses `become: true` broadly and intermittently fails with "sudo: a password is required" on some hosts. Which design best meets the security requirement and improves reliability across heterogeneous sudo policies?

You must configure 200 managed nodes where Python is inconsistent: some have `/usr/bin/python3`, others only `/usr/libexec/platform-python`. Facts gathering fails on a subset, but you are not allowed to install new packages before Ansible can run. Which approach is the most robust to bootstrap connectivity and allow subsequent configuration tasks to standardize Python?

A playbook updates a critical config file and restarts a service. During an incident review, you discover the service restarted even when the file content did not change, causing unnecessary outages. The tasks use a templated file and a handler, but the handler was triggered on every run. Which is the best troubleshooting conclusion and fix?

You need to roll out a kernel parameter change and reboot only the hosts where the parameter actually changed. Additionally, you must ensure that reboots occur one host at a time per rack (inventory group `racks` contains children `rack01`, `rack02`, etc.). Which playbook pattern best satisfies correctness and minimizes disruption?

A role manages `/etc/app/app.conf` using a template and must allow host-specific overrides while preserving safe defaults. Some hosts define `app_config_overrides` as a dict in host_vars. The current implementation uses `{{ app_defaults | combine(app_config_overrides) }}` but on hosts without overrides the role fails with an undefined variable error. What is the most robust fix while keeping precedence correct (overrides win) and avoiding surprises?

You have a multi-role play where Role A creates firewall rules and Role B deploys an application that must immediately open a port during the same run. Sometimes the application starts before the firewall handler reload occurs, causing health checks to fail. Both roles use handlers that reload firewalld. Which solution best guarantees correct ordering while keeping roles reusable?

Your organization requires that database credentials are stored encrypted with Ansible Vault, but the same playbook must be runnable in CI and in a controller without prompting. You also must prevent accidental plaintext secrets from being committed. Which approach best satisfies these constraints?

A playbook must consume a vault-encrypted YAML file that contains both secrets and non-secret configuration. Different teams need to edit non-secret values without vault access, but secrets must remain protected. What is the best practice design to meet this requirement with minimal operational friction?

You need to consume a role from Ansible Galaxy but must ensure repeatable builds in air-gapped environments. The role’s upstream releases sometimes introduce breaking changes. Which workflow best ensures deterministic deployments while still allowing controlled updates?